Cloud Security Assessment and Response 


Shyam Raj 
Lead Technical Trainer 


Training Documents

• Cloud Security Lab Tutorial Supplement
• Cloud Security Slides

• You will find the training documents for this course below this training video (at the very bottom of the page)

• No trial accounts are provided for this course; all labs are simulated


Play Lab Tutorials

Navigate to the following URL to view the "Configure Agents for VMDR" tutorial: http://ior.ad/7bze (the tutorial player shows it as http://ior.ad/7bZE). Click to open the Lab Tutorial, maximize the screen, and click the Start button.

Configure Agents for VMDR: 15 steps / 3 mins. Nov 2020 by Qualys.


Agenda

• CloudView
   ◦ CloudView Connectors
   ◦ CloudView Resources
   ◦ CloudView Dashboard and Monitor
   ◦ CloudView Policies and Controls
   ◦ CloudView Responses
   ◦ CloudView Remediation
   ◦ CloudView Exceptions
   ◦ CloudView Reports
   ◦ CloudView Access Management
• Infrastructure as Code scanning
• Securing AWS EC2 Instances
• Securing Azure Virtual Machines


Introduction to CloudView 


CloudView

• Continuously discover resources in your public cloud deployments
• Provides historical and near real-time views of your inventory
• Understand the relationships between your resources
• Assess resources for misconfigurations and non-standard deployments using out-of-the-box or custom-defined policies
• Remediate misconfigurations and perform resource actions
• No agents/scanner appliances to deploy


CloudView Connectors 


Connectors

• Configuration that allows Qualys to aggregate data from your cloud provider accounts via cloud service provider APIs
• Support for Amazon Web Services, Microsoft Azure, and Google Cloud Platform
• Can be disabled and enabled


AWS Connector 


AWS Connector

• One connector per AWS account
• Create cross-account access to your AWS account using IAM roles
• Supports Global, US GovCloud, and China regions
• Use the same cross-account role trust for the AssetView connector

AWS Connectors

1. Create an IAM role from the AWS Management Console
   ◦ Provide the Qualys AWS account ID and External ID (alternatively, use your own AWS account as the base account for the connector)
   ◦ Attach the "SecurityAudit" permissions policy
2. Use the IAM role ARN to create the connector in Qualys CloudView


Create AWS Connector — Select Trusted Entity

(IAM console, Create role, "Select type of trusted entity": choose "Another AWS account", which allows entities in other accounts to perform actions in this account.) When creating the IAM role, provide:

• Qualys AWS Account ID (the account that can use this role)
• External ID (option "Require external ID")

Requiring an external ID is the best practice when a third party will assume the role: it prevents "confused deputy" attacks, because anyone assuming the role must provide this exact external ID.


Create AWS Connector — Attach Permissions Policy

(IAM console, "Attach permissions policies": filter for SecurityAudit and select it.)

SecurityAudit is a pre-defined AWS managed policy that provides read and list permissions on resources.


Create AWS Connector — Review

(IAM console, "Review" step.) Role name: QualysCloudViewRole (alphanumeric and '+=,.@-_' characters, maximum 64). Trusted entities: the Qualys AWS account (805…). Policies: SecurityAudit. Permissions boundary: not set. No tags were added.


Create AWS Connector — Summary

(IAM console, Roles > QualysCloudViewRole > Summary.) Role ARN: arn:aws:iam::636…:role/QualysCloudViewRole. Path: /. Creation time: 2020-09-19 15:58 UTC+0100.

Provide the Amazon Resource Name (ARN) of the IAM role on the CloudView connector creation page.


Create AWS Connector — Connector Details

(CloudView connector creation page.)

• Name: give your connector a name and provide a description (optional)
• Select Account Type: Global, US GovCloud, or China
• Polling Frequency: the interval at which the connector fetches data from AWS; set the desired value (1 hour to 24 hours, default is 4 hours)
• Specify cross-account ARN: follow the steps on the page to create an IAM role in AWS that gives Qualys cross-account access. The page shows the Qualys AWS ID and the configurable External ID string (here 1634443310789) to use in the role trust, and takes the Role ARN from AWS (arn:aws:iam::636…:role/QualysCloudViewRole)


AWS Connector Summary

(Connector Summary widget.) Regions Monitored: 16/20. Resources Discovered: 1790. Status: Success. Regions Excluded: 0. Regions with Error: 0.

The Connector summary shows connector status, regions monitored, and resources discovered.


Create AWS Connector — CloudFormation Template

(CloudFormation console, Create stack.) Every stack is based on a template, a JSON or YAML file that describes the stack's resources and properties. Under "Prepare template" select "Template is ready"; under "Specify template" select "Upload a template file" and choose CloudFormationTemplate.json. Uploading the template stores it in an S3 bucket and generates an Amazon S3 URL for it (https://s3-external-1.amazonaws.com/cf-templates-…/…-CloudFormationTemplate.json).


Create AWS Connector — CloudFormation Template (Specify stack details)

Provide a stack name for the CloudFormation template, e.g. QualysCloudViewRole (letters A-Z and a-z, numbers 0-9, and dashes). The template defines no parameters, so the Parameters section is empty; click Next.


Create AWS Connector — CloudFormation Template (Stack resources)

(CloudFormation console, stack QualysCloudViewRole > Resources tab.) Logical ID: QualysRole; Physical ID: Role_For_Qualys_cv; Type: AWS::IAM::Role; Status: CREATE_COMPLETE.

When the stack creation is completed, copy the IAM role ARN and provide it on the Qualys CloudView console.
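The console steps above and the CloudFormation alternative produce the same object: an IAM role trusted by the Qualys account, gated on an external ID, with SecurityAudit attached. The following is an added example (not Qualys's template or code) that builds that trust policy and template document and checks a trust policy for the two mistakes a reviewer looks for: a missing sts:ExternalId condition (the confused-deputy case) and a wildcard principal. The Qualys account ID and external ID are placeholders; substitute the values shown on the CloudView connector page.

```python
"""Build and review the cross-account role the CloudView connector assumes.

Added example. QUALYS_ACCOUNT_ID and EXTERNAL_ID are placeholders, not values
from the training material; take the real ones from the connector page.
"""
import json

QUALYS_ACCOUNT_ID = "111111111111"   # placeholder for the Qualys AWS ID
EXTERNAL_ID = "1634443310789"        # placeholder for the configurable External ID string
SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"


def trust_policy(qualys_account_id: str, external_id: str) -> dict:
    """Trust policy: only the Qualys account may assume the role, and only with the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{qualys_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def cloudformation_template(qualys_account_id: str, external_id: str,
                            role_name: str = "QualysCloudViewRole") -> dict:
    """Same role as the CloudFormation stack: one AWS::IAM::Role with SecurityAudit attached."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "QualysRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": role_name,
                    "AssumeRolePolicyDocument": trust_policy(qualys_account_id, external_id),
                    "ManagedPolicyArns": [SECURITY_AUDIT_ARN],
                },
            }
        },
        # The ARN is what the CloudView connector page asks for.
        "Outputs": {"RoleArn": {"Value": {"Fn::GetAtt": ["QualysRole", "Arn"]}}},
    }


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict) -> list:
    """Problems a reviewer would flag in a trust policy granted to a third party."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if principal == "*" or "*" in aws_principals:
            findings.append("any AWS principal may assume the role")
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in conditions:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    template = cloudformation_template(QUALYS_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(template, indent=2))
    print("findings:", trust_policy_findings(template["Resources"]["QualysRole"]
                                             ["Properties"]["AssumeRolePolicyDocument"]))
```

Run `trust_policy_findings` against the AssumeRolePolicyDocument of any role you hand to a SaaS scanner, not just this one; a role that trusts a vendor account without an external ID can be assumed by that vendor on behalf of any of its customers who learns your role ARN.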


CloudView Base Account

(Create Base Account dialog.) Title: e.g. CloudViewBaseAccount. AWS Account ID. Access Key. Secret Key. Select Account Type: Global, US GovCloud, or China. Option: Use in AssetView.

Base Account:
• Use your own AWS account for AWS API queries from CloudView
• Provide the AWS Account ID, access key, and secret access key
• Required for creating a connector for the China region

Because a base account stores a long-lived IAM user access key pair in Qualys rather than assuming a role, restrict that IAM user to the read-only permissions the connector needs and rotate its key like any other stored credential.


Azure Connector 


Azure Connector

• One connector per Azure subscription
• Supports Global and US GovCloud
• The following information is required to create a connector: Application ID, Directory ID, Authentication Key, Subscription ID
• Use the same application ID for multiple subscriptions/connectors


Create Azure Connector — Register an application

(Azure portal, App registrations > Register an application.) Name: the user-facing display name, e.g. QualysCloudViewApp (can be changed later). Supported account types: choose who can use this application or access this API (accounts in this organizational directory only, i.e. single tenant; accounts in any Azure AD directory, i.e. multitenant; multitenant plus personal Microsoft accounts; or personal Microsoft accounts only).

Registering an app with Azure AD provides an application definition to Azure and allows the service to know how to issue tokens to the application.

Create Azure Connector — Authentication Key

(Azure portal, Certificates & secrets > Client secrets > New client secret.) A client secret is a secret string that the application uses to prove its identity when requesting a token; it can also be referred to as the application password. In the example the secret is described as KeyForQualysCloudView and expires 9/20/2021.

Provide a secret key to authenticate to the application. Copy the value when the secret is created, because the portal shows it only once, and record the expiry date: the connector stops authenticating when the secret expires and must be given a new one.


Create Azure Connector — Add API Permissions

(Azure portal, API permissions > Request API permissions > Azure Service Management, https://management.azure.com/.) The portal asks what type of permissions the application requires: Delegated permissions (the application accesses the API as the signed-in user) or Application permissions (the application runs as a background service without a signed-in user). Select the delegated permission user_impersonation ("Access Azure Service Management as organization users (preview)").

API permissions:
• The connector requires programmatic access to Azure services
• Allow the user_impersonation permission to let the connector get access on behalf of a user


Create Azure Connector — Add Reader Role

(Azure portal, Add role assignment.) Role: Reader. Assign access to: Azure AD user, group, or service principal. Select: QualysCloudViewApp.

Reader role:
• Built-in Azure role
• Allows viewing of all resources (except secrets) but does not allow making any changes


Create Azure Connector — Create Custom Role

(Azure portal, Create a custom role > Basics.) Custom role name: QualysCloudViewRole. Baseline permissions: Clone a role, Start from scratch, or Start from JSON (Start from scratch is selected).

Create a custom role in Azure to provide the required permissions to access Azure subscriptions.


Create Azure Connector — Custom Role Permissions

(Permissions tab, resource provider microsoft.web; search for "/config/list/action" under Actions.) Add:

• microsoft.web/sites/config/list/action: List Web App's security sensitive settings, such as publishing credentials, app settings and connection strings
• microsoft.web/sites/slots/config/list/action: List Web App Slot's security sensitive settings, such as publishing credentials, app settings and connection strings

Both actions return secrets (publishing credentials and connection strings), which the Reader role deliberately does not expose. Granting them means the connector's client secret can read those application secrets, so protect it accordingly and keep the role's assignable scope to the subscriptions the connector monitors.


Create Azure Connector — Add Custom Role

(Azure portal, Add role assignment.) Role: QualysCloudViewRole. Assign access to: Azure AD user, group, or service principal. Select: QualysCloudViewApp.

Attach the custom role and the Reader role to the application.
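The custom role above is the only write-free part of the Azure setup that grants more than Reader, so it is the piece worth reviewing before assignment. The following is an added example (not Qualys's role definition) that emits the role in the JSON shape `az role definition create --role-definition` accepts, and checks a custom role meant for a read-only connector for wildcard or write/delete actions and over-broad assignable scopes. The subscription ID is a placeholder.

```python
"""Custom role definition for the CloudView service principal, plus a review of it.

Added example. SUBSCRIPTION_ID is a placeholder, not a value from the training material.
"""
import json

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder

# The two actions the course adds to the custom role; both return secrets
# (publishing credentials, app settings, connection strings).
CONNECTOR_ACTIONS = [
    "microsoft.web/sites/config/list/action",
    "microsoft.web/sites/slots/config/list/action",
]


def custom_role_definition(subscription_id: str, name: str = "QualysCloudViewRole") -> dict:
    """Role definition in the shape accepted by `az role definition create`."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Read Web App and deployment slot settings for the Qualys CloudView connector",
        "Actions": list(CONNECTOR_ACTIONS),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        # Scope the role to the monitored subscription only.
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def role_findings(role: dict) -> list:
    """Flag grants a read-only connector role should not carry."""
    findings = []
    for action in role.get("Actions", []):
        if action == "*" or action.endswith("/*"):
            findings.append(f"wildcard action: {action}")
        elif action.split("/")[-1] in ("write", "delete"):
            findings.append(f"write/delete action: {action}")
    for scope in role.get("AssignableScopes", []):
        if scope == "/" or scope.startswith("/providers/Microsoft.Management/managementGroups"):
            findings.append(f"broad assignable scope: {scope}")
    if role.get("DataActions"):
        findings.append("data-plane actions granted")
    return findings


def secret_reading_actions(role: dict) -> list:
    """Actions whose response contains secrets; they decide how the client secret must be handled."""
    return [a for a in role.get("Actions", []) if a.endswith("/config/list/action")]


if __name__ == "__main__":
    role = custom_role_definition(SUBSCRIPTION_ID)
    print(json.dumps(role, indent=2))
    print("findings:", role_findings(role))
    print("reads secrets via:", secret_reading_actions(role))
```

Save the printed JSON to a file and pass it to `az role definition create --role-definition @role.json`; the check runs equally well on a definition exported from an existing tenant with `az role definition list --custom-role-only true`.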


Create Azure Connector — Connector Details

(CloudView connector creation page.) Give your connector a name and provide a description (optional). Account Type: Global or US GovCloud. Polling Frequency: the interval at which the connector fetches data from Microsoft Azure (default 4 hours 0 minutes). Authentication Details: Application ID, Directory ID, Authentication Key, Subscription ID.

Create Azure Connector - Summary

Azure Connector:
• Provide these details obtained from the Azure portal: Application ID, Directory ID, Authentication Key, Subscription ID
• Set the desired polling frequency (1 hour to 24 hours, default is 4 hours)


Azure Connector Summary

(Connector Summary widget.) Regions Monitored: 41/41. Resources Discovered: 90. Status: Success. Regions with Error: 0.

The Connector summary shows regions monitored, resources discovered, and status.


GCP Connector 


Create GCP Connector

• One connector per GCP project
• Use the same service account for multiple projects
• Enable the required APIs on the GCP project
• Create a service account, download its key (configuration) file from the GCP console, and upload it to Qualys CloudView

Create GCP Connector — Enable APIs

• Compute Engine API
• Cloud Resource Manager API
• Kubernetes Engine API
• Cloud SQL Admin API
• BigQuery API
• Cloud Functions API
• Cloud DNS API
• Cloud Key Management Service API
• Cloud Logging API
• Stackdriver Monitoring API


Create GCP Connector — Create Service Account

(GCP console, IAM & Admin > Service Accounts > QualysCloudView > Details.) Email: qualyscloudview@gcp-qualys-demo.iam.gserviceaccount.com. Service account status: currently active (disabling an account preserves its policies without deleting it). Keys: add a new key pair or upload a public key certificate from an existing key pair (public certificates must be in RSA_X509_PEM format). The example shows one active key, ID d1ba888e8…, created Sep 29, 2020, with key expiration date Dec 31, 9999.

• Service accounts are used by applications to make authorized API calls
• Service accounts use public/private RSA key pairs to authenticate to Google

A user-managed key with a Dec 31, 9999 expiry never expires on its own; the downloaded key file is a long-lived credential that must be protected and rotated, and the key deleted from the service account when it is replaced.


Create GCP Connector — Service account permissions

(GCP console, Create service account > Grant this service account access to project, so that it has permission to complete specific actions on the resources in your project.) Roles: Viewer and Security Reviewer; add another role if needed, then Continue.

• Viewer role provides read-only access to all resources, but cannot modify any data
• Security Reviewer role provides permissions to list all resources and the IAM policies on them (permission to get any IAM policy)
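Two things drift after the GCP connector is set up: someone adds a broader role to the service account, and the never-expiring key shown in the console is never rotated. The following is an added example (not Qualys's code) that checks both against inputs constructed in the shape of `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts keys list --format=json`; the project name, key name and dates are placeholders.

```python
"""Least-privilege and key-age check for the CloudView service account.

Added example. PROJECT_POLICY and SA_KEYS are constructed inputs shaped like the
gcloud JSON output; the project, key name and dates are placeholders.
"""
from datetime import datetime, timedelta, timezone

CONNECTOR_SA = "qualyscloudview@gcp-qualys-demo.iam.gserviceaccount.com"
EXPECTED_ROLES = {"roles/viewer", "roles/iam.securityReviewer"}  # Viewer + Security Reviewer
MAX_KEY_AGE_DAYS = 90

# Constructed project IAM policy (same shape as `gcloud projects get-iam-policy`).
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": [f"serviceAccount:{CONNECTOR_SA}", "user:alice@example.com"]},
        {"role": "roles/iam.securityReviewer",
         "members": [f"serviceAccount:{CONNECTOR_SA}"]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ]
}

# Constructed key list: one user-managed key with the "never expires" validBeforeTime.
SA_KEYS = [
    {"name": "projects/example-project/serviceAccounts/qualyscloudview/keys/d1ba888e8",
     "keyType": "USER_MANAGED",
     "validAfterTime": "2020-09-29T10:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
]


def roles_for(policy: dict, member: str) -> set:
    """Roles bound to one member in a project IAM policy."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def binding_findings(policy: dict, sa_email: str, expected: set = EXPECTED_ROLES) -> list:
    """Roles beyond the documented Viewer + Security Reviewer, and any of those that are missing."""
    actual = roles_for(policy, f"serviceAccount:{sa_email}")
    findings = [f"unexpected role: {r}" for r in sorted(actual - expected)]
    findings += [f"missing role: {r}" for r in sorted(expected - actual)]
    return findings


def stale_keys(keys: list, now: datetime, max_age_days: int = MAX_KEY_AGE_DAYS) -> list:
    """IDs of user-managed keys older than the rotation window (GCP does not expire them itself)."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google-managed keys are rotated by Google
        created = datetime.strptime(key["validAfterTime"], "%Y-%m-%dT%H:%M:%SZ")
        created = created.replace(tzinfo=timezone.utc)
        if now - created > timedelta(days=max_age_days):
            stale.append(key["name"].rsplit("/", 1)[-1])
    return stale


if __name__ == "__main__":
    print("binding findings:", binding_findings(PROJECT_POLICY, CONNECTOR_SA))
    print("stale keys:", stale_keys(SA_KEYS, datetime.now(timezone.utc)))
```

Feed it real data with `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts keys list --iam-account EMAIL --format=json`; when a key is reported stale, create a new key, upload the new file to the CloudView connector, confirm the connector status is still Success, and only then delete the old key.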


Lab 1, 2 and 3 


Lab 1 — AWS Connector
Lab 2 — Azure Connector
Lab 3 — GCP Connector

Please follow pages 3 — 7 from the Lab Tutorial Supplement

20 min.


CloudView Resources 


Supported AWS Resource Types

• Subnet
• Network ACL
• Internet Gateway
• Load Balancer
• EC2 Instance
• Route Table
• S3 Bucket
• IAM User
• VPC
• Auto Scaling Group
• Security Group
• Lambda Function
• RDS
• EBS Volume
• EKS Cluster
• EKS Node Group
• EKS Fargate Profile


CloudView Resources

(CloudView > RESOURCES, List View, Last 24 Hrs, Amazon Web Services selected.) The page shows Total Resource Types (17), a left-hand facet panel (Account, Resource Type, Regions such as N. Virginia 368, Ohio 308, Oregon 246, Mumbai 197, N. California 195) and a table of resource types with service, total resources, and resources failed (resources failing at least one control). Values readable in the example:

Resource Type | Service | Total Resources | Resources Failed
Instance | EC2 | 133 | 0
Security Group | EC2 | 768 | 562
EBS Volume | EC2 | 188 | (not shown)
Subnet | VPC | 175 | 0
Route Table | VPC | 104 | 0
Network ACL | VPC | 73 | 0
VPC | VPC | 70 | 69
Internet Gateway | VPC | 62 | 0
S3 Bucket | S3 | 48 | 48
IAM User | IAM | 41 | 41
Auto Scaling Group | EC2 | 8 | 0
RDS | RDS | 4 | 4
Load Balancer | EC2 | 1 | 0

• Use the dropdown to switch to a different cloud provider
• Use the search bar to run queries


CloudView Resources

(CloudView > RESOURCES, List View, with resource type Instance selected and the query `instance.type:t2.micro and region:N. Virginia`.) The result table lists EC2 instance ID, account ID, region and state (e.g. N. Virginia, Running / Stopped), with tabs for Instance and Vulnerability views, Group By and Filters.

• Selected resource type: Instance
• Vulnerability details for AWS instances detected by VM (Qualys Vulnerability Management)


CloudView Resources — Query Type

(CloudView > RESOURCES, resource type Instance.) The query-type dropdown switches between Instance queries (e.g. `instance.type:t2.micro`) and Vulnerability queries (e.g. `vulnerability.typeDetected:Confirmed`). Summary widgets show Total Instances, With Public IP (4), and Without Agents (6).

• Use the dropdown to change the query type


CloudView Resources — Group By

(CloudView > RESOURCES, List View, Total Instances 16.) For Instance the Group By menu offers Account ID, Region, VPC, Instance State, Instance Type, AMI ID, and Subnet ID.

• Group By options depend on the selected resource type and view


CloudView Resources — Filters

(CloudView > RESOURCES, List View, query `instance.type:t2.micro and region:N. Virginia`, Filters menu > Excluded Vulnerabilities.) The exclusion filters are Information Gathered, Fixed, Ignored, and Disabled.

• Vulnerabilities of type Information Gathered, Fixed, Ignored, and Disabled are excluded by default


CloudView Resources — Date Range

(CloudView > RESOURCES, date-range dropdown next to the search bar.) Options: Last 24 Hrs, Today, Last 7 Days, Last 30 Days, Last 90 Days, This Month, Last Month, Specific range. The result table also shows the First Discovered On date for each resource (e.g. September 3, 2020 9:05 AM; August 26, 2020 8:48 PM).

• By default, the search returns results from the last 24 hours


CloudView Resources — Save Search Query

(CloudView > RESOURCES, search-bar menu: Recent Searches, Manage Saved Searches, Save this Search Query.)

• Save your search query to quickly run it again


CloudView Resources — Saved Searches 


Saved Searches

(Saved Searches dialog: click to pick a saved search.) Example saved searches:

• resource.type:"Security Group" and securitygroup.inboundRule.ipv4Range:0.0.0.0/0
• resource.type:"S3 Bucket"
• Running Instances
• Publicly accessible RDS
• Publicly Available S3 Buckets
• Non encrypted EBS Volumes in a particular account


Supported Azure Resource Types 


• SQL Server
• Function App
• SQL Server Database
• Resource Group
• Virtual Network
• Virtual Machine (created using Resource Manager)
• Network Security Group
• Web App (App Service)


CloudView Resources — Azure

(CloudView > RESOURCES, List View, Microsoft Azure selected.) Facets: Subscription ID, Resource Type, Location. Resource types shown with service and totals:

Resource Type | Service | Total Resources
SQL Server | Azure SQL | 1
Function App | App Service | 14
SQL Server Database | Azure SQL | 8
Resource Group | Resource Groups | (not shown)
Virtual Network | Virtual Networks | (not shown)
Virtual Machine | Virtual Machines | (not shown)
Network Security Group | Network Security Groups | 174
Web App | App Service | 9


Supported GCP Resource Types 


• VM Instances
• Networks
• Firewall Rules
• Subnetworks
• Cloud Functions


CloudView Resources — GCP

(CloudView > RESOURCES, List View, Google Cloud Platform selected, Last 24 Hrs.) Facets: Project ID, Resource Type. Resource types shown with service and totals:

Resource Type | Service | Total Resources
VM Instances | Compute Engine | 12
Networks | VPC Network | 6
Firewall Rules | VPC Network | 65
Subnetworks | VPC Network | (not shown)
Cloud Function | Cloud Function | (not shown)


Vulnerability Details for Instances 


• Vulnerability details are displayed for AWS EC2 Instances, Azure Virtual Machines, and GCP VM Instances
• The resource must also be detected during a Qualys scan or must have the Qualys Cloud Agent installed
• Enhanced information is available for resources that also exist in the Qualys Cloud Platform


Enhanced Information

(Resource Details: i-01aeed7….) The left-hand navigation has Cloud Metadata (Summary, Network Interfaces, Associations, Tags), Inventory (System Information, Network Information, Open Ports, Installed Software, Traffic Summary), Security (Vulnerabilities, Threat Protection, EDR, Certificates), and Compliance (File Integrity Monitoring).

Summary fields shown for the instance:
• General: Instance Name, Instance Type t2.micro, First Discovered On September 6, 2020 12:27 PM, Last Updated On October 26, 2020 9:36 AM
• Instance Status: State running, Spot Instance
• Vulnerabilities: Potential 0, Confirmed 2
• Associations: Security Group, Auto Scaling Group, Load Balancer
• Location: Account ID 2057…, Region N. Virginia (us-east-1), Availability Zone us-east-1e
• Network: VPC ID vpc-1…, Subnet ID subnet-…, hostname ip-10-90-…


Associations

(Resource Details: AB-TestLB, View Mode Associations; tabs Subnets, Security Groups, Instances; other view modes: Summary, Tags, Controls Evaluated, Listeners.) Subnets 1-2 of 2:

Subnet ID | Subnet Name | Availability Zone
subnet-0ebab9c3294f6672b | 10.0.2.0 - ap-south-1b | ap-south-1b
subnet-07d3b2113d5e42222 | 10.0.1.0 - ap-south-1a | ap-south-1a

CloudView shows the associations of your resources, for example the security groups, auto scaling groups, and elastic load balancers associated with EC2 instances.


Lab 4 — CloudView Resources 


Please follow pages 8 — 11 from the Lab Tutorial Supplement


10 min. 


CloudView Dashboard

(Dashboard > AWS Dashboard, Last 24 Hrs.) Widgets in the example:

• Failures by Control Criticality: Total Failures 4425 (High 3030, Medium 1226, Low 169)
• Security Posture by Regions (All Regions)
• Top 5 Failed Controls (control, resources failed, criticality):
   ◦ Ensure IAM policies are attached only to groups or …: 364
   ◦ Ensure access key1 is rotated every 90 days or less: 351
   ◦ Ensure that bucket policy enforces encryption in tra…: 189
   ◦ Ensure access keys unused for 90 days or greater a…: 181
• Resource Distribution by Type: Total Resources 2593 (Internet Gateway, Route Table, Security Group, VPC, Lambda, Subnet, EBS, Network ACL, RDS, Load Balancer, Instance, S3, Auto Scaling, IAM)
• A second Total Failures widget showing 4309 (Medium 1179, Low 168)

A dashboard is made up of widgets, each representing a piece of data.


Dashboard

(Azure dashboard, Last 24 Hrs.) Widgets in the example:

• Resource Distribution by Type
• Failures by Control Criticality: Total Failures 661 (High 496, Medium 105, Low 60)
• Top 5 Subscriptions by Failed Controls: 19c33874…, 571fd013-…, 9de9e0a7…, 9964e9f0-…
• Top 5 Failed Controls:
   ◦ Ensure that all attached VM disks are encrypted
   ◦ Ensure that Azure Virtual Network subnet is configu…
   ◦ Ensure that all unattached VM disks are encrypted
   ◦ Ensure default network access rule for Storage Acc…

CloudView provides pre-configured dashboards, and allows creation of custom dashboards.


Dashboard

(GCP dashboard, Last 24 Hrs.) Widgets in the example:

• Resource Distribution by Project ID (qualys-demo-…)
• Resource Distribution by Type (Subnetworks, Networks, …)
• Top 5 Failed Controls:
   ◦ Ensure VM disks for critical VMs are encrypted with…
   ◦ Ensure VPC Flow logs is enabled for every subnet i…
   ◦ Ensure "oslogin" is enabled for VM instance
   ◦ Ensure that instances are not configured to use def…
• Top 5 Accounts by Failed Controls (project, controls failed): gcp-qu… 62, qualys… 44


CloudView Monitor

(CloudView > MONITOR, Amazon Web Services selected, Last 24 Hrs.) The page shows Total Evaluations (Total Controls Evaluated, Failed Evaluations), Failures by Criticality, Security Posture, a Policy facet (Dev HIPAA AWS, CIS Amazon Web…, AWS Best Practic…, AWS Database S…, AWS Lambda Be…, 3 more), a Control Result facet, and the control list (1-50 of 97) with control name, policy, criticality, service and total resources, for example:

• Ensure access keys unused for 90 days or greater are disabled (Policy: Test AWS Custom Policy, Service: IAM, Total Resources: 6)
• Ensure access key1 is rotated every 90 days or less (Policy: Test AWS Custom Policy, Total Resources: 6)

• Use the dropdown to switch to a different cloud provider
• Failed remediable evaluations are called out separately

Use CloudView Monitor to assess your resources for misconfigurations and non-standard deployments.


CloudView Monitor — Search

(CloudView > MONITOR, Amazon Web Services.) Use the search bar to query control evaluations, for example:

• control.criticality:HIGH and control.result:FAIL
• policy.name:"AWS Best Practices Policy" and control.result:FAIL
• service.type:"IAM" and control.result:"FAIL" and control.criticality:"HIGH"
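The resource queries earlier in this section (`instance.type:t2.micro and region:N. Virginia`, the saved security-group search on `0.0.0.0/0`) and the Monitor queries above share one shape: dotted field names, a `:` value that may be quoted, terms joined with `and`. The following is an added example, not the Qualys query engine: a small evaluator for that shape over constructed inventory and evaluation records, useful for testing a query against a CloudView API export before saving it as a search. Its matching rules (case-insensitive equality; a list-valued field such as an inbound-rule list matches if any element matches) are assumptions.

```python
"""Evaluate CloudView-style `field:value and field:"quoted value"` queries offline.

Added example; the RESOURCES and EVALUATIONS records are constructed, and the
matching rules are assumptions rather than Qualys's documented semantics.
"""
import re

# One term: dotted field, ':', then either a double-quoted value or a bare value
# that may contain spaces (e.g. region:N. Virginia).
TERM = re.compile(r'^\s*([\w.]+):\s*(?:"([^"]*)"|(.*?))\s*$')


def parse_query(query: str) -> list:
    """Split `a:b and c:"d e"` into [(field, value), ...]; reject malformed terms."""
    terms = []
    for raw in re.split(r"\s+and\s+", query, flags=re.IGNORECASE):
        match = TERM.match(raw)
        if not match:
            raise ValueError(f"bad term: {raw!r}")
        field, quoted, bare = match.groups()
        terms.append((field, quoted if quoted is not None else bare))
    return terms


def lookup(record: dict, dotted: str) -> list:
    """Resolve a dotted path; lists along the way fan out into every element."""
    values = [record]
    for part in dotted.split("."):
        nxt = []
        for value in values:
            for item in (value if isinstance(value, list) else [value]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        values = nxt
    flat = []
    for value in values:
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def matches(record: dict, query: str) -> bool:
    """Every term must match at least one value at its field (case-insensitive)."""
    for field, wanted in parse_query(query):
        if not any(str(v).lower() == wanted.lower() for v in lookup(record, field)):
            return False
    return True


def search(records: list, query: str) -> list:
    return [r for r in records if matches(r, query)]


# Constructed sample inventory (not real account data).
RESOURCES = [
    {"resource": {"type": "Instance"}, "instance": {"type": "t2.micro"}, "region": "N. Virginia"},
    {"resource": {"type": "Instance"}, "instance": {"type": "m5.large"}, "region": "N. Virginia"},
    {"resource": {"type": "Security Group"}, "region": "Ohio",
     "securitygroup": {"inboundRule": [{"ipv4Range": "10.0.0.0/8"}, {"ipv4Range": "0.0.0.0/0"}]}},
    {"resource": {"type": "Security Group"}, "region": "Ohio",
     "securitygroup": {"inboundRule": [{"ipv4Range": "10.0.0.0/8"}]}},
]

# Constructed sample control evaluations, as the Monitor page would list them.
EVALUATIONS = [
    {"control": {"criticality": "HIGH", "result": "FAIL"}, "service": {"type": "IAM"},
     "policy": {"name": "AWS Best Practices Policy"}},
    {"control": {"criticality": "MEDIUM", "result": "FAIL"}, "service": {"type": "IAM"},
     "policy": {"name": "AWS Best Practices Policy"}},
    {"control": {"criticality": "HIGH", "result": "PASS"}, "service": {"type": "CloudTrail"},
     "policy": {"name": "CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018"}},
]

if __name__ == "__main__":
    for q in ('instance.type:t2.micro and region:N. Virginia',
              'resource.type:"Security Group" and securitygroup.inboundRule.ipv4Range:0.0.0.0/0'):
        print(q, "->", len(search(RESOURCES, q)), "resource(s)")
    for q in ('control.criticality:HIGH and control.result:FAIL',
              'service.type:"IAM" and control.result:"FAIL" and control.criticality:"HIGH"'):
        print(q, "->", len(search(EVALUATIONS, q)), "evaluation(s)")
```

The security-group query is the one to keep an eye on: because the inbound-rule list fans out, a group with one internal rule and one `0.0.0.0/0` rule still matches, which is the behaviour you want when hunting for anything exposed to the internet.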


CloudView Monitor — Control Posture

(CloudView > MONITOR control list.) Each row shows the control, its policy, service, and a pass/fail bar with the total resources evaluated. Example rows, all from the policy CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018, service IAM:

Control | Total Resources
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console… | 9
Ensure console credentials unused for 90 days or greater are disabled | 9
Ensure access keys unused for 90 days or greater are disabled | 25
Ensure access key1 is rotated every 90 days or less | 25
Ensure access key2 is rotated every 90 days or less | 5

CloudView Monitor shows a list of controls, the criticality, the service to which the control belongs, and the security posture: the number of resources passing and failing each control.


CloudView Monitor — Control Details

(Control Evaluation: Ensure CloudTrail is enabled in all regions.)
• CID-19: Ensure CloudTrail is enabled in all regions
• Policy: CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018
• Evaluation: Check CloudTrail is enabled for "ALL" regions capturing all types of Management Events
• Manual Remediation: View Steps
• Platform: AWS; Service: CloudTrail; Criticality shown as a bar
• Below the header, the search `control.criticality:HIGH and control.result:FAIL`, date range Last 24 Hrs, Actions menu, and the resource table (1-1 of 1): Resource 457…, Account ID 457…, Evaluated On 2 hours ago, Result, with an Evidence link

Control details include:
• Control ID and statement
• Policy
• Evaluation criteria
• Platform (AWS, Azure, or GCP)
• Service
• Criticality
• Remediation Steps
• List of resources passing and failing the control


CloudView Monitor — Control Evidence

(Resource 4577…, account 4577…, evaluated 2 hours ago, result FAIL; tabs Evidence Details and Manual Remediation Steps; actions View in AWS Console and Re-evaluate.)

Evidence: Multi-region CloudTrail not found or Management Events are not enabled.

Evaluation Summary: First Evaluated June 11, 2020 10:05 AM; Last Evaluated September 21, 2020 6:49 PM; Last Reopened September 18, 2020 6:40 PM; Last Fixed: none.

Evaluation Criteria: Multi Region Cloudtrail Found; Cloudtrail Logging Status; Cloudtrail ARN; Management Events.

Use Evidence to determine why a control has failed evaluation.


CloudView Monitor — Remediation Steps

(Resource 457…, Manual Remediation Steps tab.)

Perform the following to enable global (multi-region) CloudTrail logging:

Via the Management Console

1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail
2. Click on Trails in the left navigation pane
3. Click Get Started Now, if presented
   ◦ Click Create trail
   ◦ Enter a trail name in the Trail name box
   ◦ Set the Apply trail to all regions option to Yes
   ◦ Specify an S3 bucket name in the S3 bucket box
   ◦ Click Create
4. If one or more trails already exist, select the target trail to enable for global logging
5. Click the edit icon (pencil) next to Apply trail to all regions, click Yes and click Save
6. Click the edit icon (pencil) next to Management Events, click All for the Read/Write Events setting and click Save

Via CLI

The slide's command was garbled in extraction and used the CIS benchmark's `--bucket-name` spelling; the AWS CLI option is `--s3-bucket-name`. Corrected, with the equivalent for an existing trail:

# create a new multi-region trail
aws cloudtrail create-trail --name <trail_name> --s3-bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail
# or convert an existing trail to multi-region
aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail

View Remediation Steps to determine how a control failure can be mitigated, using the GUI or CLI.
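The CID-19 evidence fields (multi-region trail found, logging status, trail ARN, management events) map directly onto three CloudTrail API calls. The following is an added example, not CloudView's evaluator: it reproduces the control's decision and evidence from inputs constructed in the shape of `describe-trails`, `get-trail-status` and `get-event-selectors` output, so you can confirm a remediation before clicking Re-evaluate. Trail names and ARNs are placeholders.

```python
"""Offline evaluation of "Ensure CloudTrail is enabled in all regions" (CID-19).

Added example. TRAILS, STATUS and SELECTORS are constructed to match the shape of
the AWS CLI/boto3 responses for describe-trails, get-trail-status and
get-event-selectors; the names and ARNs are placeholders.
"""

FAIL_REASON = "Multi-region CloudTrail not found or Management Events are not enabled."


def evaluate_cloudtrail(trails: list, status_by_arn: dict, selectors_by_arn: dict) -> dict:
    """Return PASS/FAIL plus the evidence fields CloudView shows for this control.

    PASS requires one trail that is multi-region, currently logging, and has a
    basic event selector capturing All (read and write) management events.
    """
    evidence = {"multiRegionTrailFound": False, "loggingStatus": None,
                "trailArn": None, "managementEvents": None}
    for trail in trails:
        if not trail.get("IsMultiRegionTrail"):
            continue
        arn = trail["TrailARN"]
        evidence["multiRegionTrailFound"] = True
        evidence["trailArn"] = arn
        logging = bool(status_by_arn.get(arn, {}).get("IsLogging"))
        evidence["loggingStatus"] = "Enabled" if logging else "Disabled"
        all_mgmt = any(
            sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All"
            for sel in selectors_by_arn.get(arn, {}).get("EventSelectors", [])
        )
        evidence["managementEvents"] = "All" if all_mgmt else "Not all"
        if logging and all_mgmt:
            return {"result": "PASS", "evidence": evidence}
    return {"result": "FAIL", "evidence": evidence, "reason": FAIL_REASON}


# Constructed inputs (placeholders, not real account data).
TRAILS = [
    {"Name": "regional-only",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/regional-only",
     "IsMultiRegionTrail": False},
    {"Name": "org-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",
     "IsMultiRegionTrail": True},
]
STATUS = {TRAILS[1]["TrailARN"]: {"IsLogging": True}}
SELECTORS = {TRAILS[1]["TrailARN"]: {
    "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]}}

if __name__ == "__main__":
    print(evaluate_cloudtrail(TRAILS, STATUS, SELECTORS))
    print(evaluate_cloudtrail(TRAILS[:1], STATUS, SELECTORS))  # only a regional trail: FAIL
```

One caveat when wiring this to live data: a trail configured with advanced event selectors returns them under `AdvancedEventSelectors` and an empty `EventSelectors` list, so a check written only against basic selectors reports "Not all" for a trail that is in fact logging all management events; handle that shape separately before trusting a FAIL.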


Lab 5 and 6 


Lab 5 — CloudView Dashboard
Lab 6 — CloudView Monitor

Please follow pages 12 — 15 from the Lab Tutorial Supplement


15 min. 


CloudView Policies and Controls 


CloudView Policy

(CloudView > POLICY, Policy tab, 13 Total Policies; facet Provider: GCP, Azure, AWS; Controls tab; search bar; Actions menu.) Example rows (policy title, provider, created by, modified by):

Policy Title | Created By | Modified By
Azure Database Service Best Pract… | SYSTEM, September 16, 2020 8:38 AM | SYSTEM, September 16, 2020 8:38 AM
GCP Kubernetes Engine Best Practi… | SYSTEM, July 23, 2020 8:36 AM | SYSTEM, July 23, 2020 8:36 AM
GCP Best Practices Policy | SYSTEM, September 16, 2020 8:37 AM | SYSTEM, September 16, 2020 8:37 AM

CloudView policies are collections of controls. A control represents the evaluation of a datapoint on a monitored resource.

Policies may be system-defined or user-defined.


CloudView Policy 


Use queries to search for policies, for example: provider:AWS and policyType:User Defined

CloudView Controls

Select a provider to view its controls.

Screenshot: POLICY > Controls tab, total controls per provider: Microsoft Azure (117), Google Cloud Platform, Amazon Web Services (172).


CloudView Controls 


Query: provider:"AWS" (1-50 of 172 controls)

CID  CONTROL NAME                                                        PLATFORM  TYPE            MODIFIED BY
1    Ensure multi-factor authentication (MFA) is enabled for all IA...   aws       System Defined  SYSTEM, 6 days ago
     Service: IAM
2    Ensure console credentials unused for 90 days or greater are...     aws       System Defined  SYSTEM, 6 days ago
     Service: IAM
3    Ensure access keys unused for 90 days or greater are disabled       aws       System Defined  SYSTEM, 6 days ago
     Service: IAM

Each control has a control ID, control name (statement) and criticality (shown as an icon next to the CID)


CloudView — Control Summary 


Screenshot: Control Details > Summary view for "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password". The summary lists the control statement, criticality, and identification (CID, service, provider), created on October 22, 2019 1:45 PM and modified on September 16, 2020 8:38 AM. The view mode menu offers Summary, Specification, Policies, Evaluation, Rationale, Manual Remediation and References.

Control summary shows information such as control specification, associated policies, evaluation criteria, rationale, manual remediation steps and references


CloudView — Control Specification 


Specification (for "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password"):

Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.

CIS reference: CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018: Recommendation #1.2


CloudView — Control Policies Information 


The Policies tab shows the policies to which a specific control belongs:

POLICY TITLE                             PLATFORM  CREATED BY                               MODIFIED BY
AWS High Sev Policy                      aws       quays2nd84, September 22, 2020 12:00 PM  quays2nd84, September 22, 2020 12:00 PM
CIS Amazon Web Services Foundation...    aws       SYSTEM, September 16, 2020 8:38 AM       SYSTEM, September 16, 2020 8:38 AM


CloudView — Evaluation Information 


Evaluation Description: Check that IAM users with a console password enabled have MFA set to True.

Changes in account credentials may take up to 4 hours to be reflected in the AWS IAM evaluations. The time taken depends on when the last credential report was fetched by the CloudView service and when the changes were made in AWS IAM.

Evaluation Message: this message will appear in the control evaluation details.
Control Pass Message / Control Fail Message: the text shown for a passing or failing resource.

The Evaluation tab shows the criteria used to evaluate a control pass/fail and the associated messages


CloudView — Control Rationale 


Rationale: Enabling MFA provides increased security for console access, as it requires the authenticating principal to possess a device that emits a time-sensitive key and to have knowledge of a credential.

The Rationale tab explains the importance of a control pass


CloudView — Control Remediation Steps 


Manual Remediation Steps

Perform the following to enable MFA:

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users.
3. In the User Name list, choose the name of the intended MFA user.
4. Choose the Security credentials tab. Next to Assigned MFA device, choose the edit icon.
5. In the Manage MFA Device wizard, choose A virtual MFA device, and then choose Next Step.
   IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the secret configuration key that is available for manual entry on devices that do not support QR codes.

Remediation steps outline how a control failure can be mitigated using the GUI or CLI


CloudView Controls - Customization 


Screenshot: Controls list filtered by provider:"AWS". Customizable controls are marked with an icon next to the CID; the Quick Actions menu of such a control offers View, Change Criticality, and Create Copy (copy and customize).

Some controls allow for customization; these can be used as a template for creating new controls.

CloudView Controls — Change control criticality 


Change Criticality

Depending on the impact you want this control to have, you can set the criticality to High, Medium, or Low:

HIGH (System Default): controls with severe impact.
MEDIUM: controls with medium impact.
LOW: controls with minimal impact.

Note: When you change criticality, the revised control criticality for existing evaluations takes effect in the Monitor view upon the next connector run.

The criticality of all controls can be changed


CloudView Controls — Change Evaluation 
Provide details such as the description to be displayed for the evaluation, the evaluation parameter, and the text for the messages to be displayed on control evaluation.

Evaluation Parameter

The evaluation parameter definition decides if a control will Pass or Fail. Example for "Ensure console credentials unused for 90 days or greater are disabled":

Parameter: Last accessed AWS console days
Operator: Greater than or equal to
Expected Value: 90 (example values: 25, 16, 10)

Change the Operator and/or Expected Value to affect how the control evaluates a resource
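To make the Evaluation Parameter concrete, the following added example (not Qualys code) evaluates the two IAM controls shown on these slides, the MFA control and the "console credentials unused for N days" control, over an IAM credential report, with the operator and expected value of the second control parameterised the way the form above is. The report rows, the evaluation time and the user names are constructed for illustration; the column names match the real aws iam get-credential-report output.

```python
"""Added example, not Qualys code: evaluate the MFA control and the parameterised
"console credentials unused" control over a constructed IAM credential report."""
import csv
import io
import operator
from datetime import datetime, timezone

# Constructed credential report (a subset of the real columns).
CREDENTIAL_REPORT = """user,password_enabled,password_last_used,mfa_active
<root_account>,not_supported,2021-01-04T10:00:00+00:00,true
alice,true,2021-09-01T08:12:00+00:00,true
bob,true,2021-03-02T09:00:00+00:00,false
carol,true,no_information,false
svc-deploy,false,N/A,false
"""

NOW = datetime(2021, 9, 20, tzinfo=timezone.utc)  # evaluation time, fixed for reproducibility

OPERATORS = {  # the choices behind the "Operator" drop-down
    "Greater than or equal to": operator.ge,
    "Greater than": operator.gt,
    "Less than": operator.lt,
    "Equal to": operator.eq,
}


def parse_report(text):
    return list(csv.DictReader(io.StringIO(text)))


def console_users(rows):
    """Only users whose console password is enabled are in scope for both controls."""
    return [r for r in rows if r["password_enabled"] == "true"]


def mfa_control(rows):
    """CID 1: each console user must have MFA active. Returns {user: 'PASS'|'FAIL'}."""
    return {r["user"]: ("PASS" if r["mfa_active"] == "true" else "FAIL")
            for r in console_users(rows)}


def days_since_console_use(row, now=NOW):
    """'no_information' means the password was never used: treat it as unused forever."""
    last = row["password_last_used"]
    if last in ("no_information", "N/A", ""):
        return float("inf")
    return (now - datetime.fromisoformat(last)).days


def unused_console_control(rows, op_name="Greater than or equal to", expected=90, now=NOW):
    """CID 2, parameterised: the resource FAILS when <days unused> <operator> <expected> holds."""
    op = OPERATORS[op_name]
    return {r["user"]: ("FAIL" if op(days_since_console_use(r, now), expected) else "PASS")
            for r in console_users(rows)}


if __name__ == "__main__":
    rows = parse_report(CREDENTIAL_REPORT)
    print("MFA:", mfa_control(rows))
    print("Unused >= 90:", unused_console_control(rows))
    print("Unused >= 10:", unused_console_control(rows, expected=10))
```

Two details matter for reproducing CloudView's results: users without a console password are out of scope for both controls rather than counted as passes, and a password that was never used is treated as exceeding any threshold, so it fails the unused-credentials control regardless of the expected value.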


CloudView Controls — Customized Control 


Screenshot: Summary of the customized copy of "Ensure console credentials unused for 90 days or greater are disabled": criticality, CID 92500, Service IAM, Provider aws.

The copy receives a new control ID


Lab 7 and 8 


Lab 7 - CloudView Policy 
Lab 8 - CloudView Controls 


Please follow pages 16 - 19 from the Lab Tutorial Supplement


15 min. 


Session Break 


30 min. 


CloudView Responses 


Alerting Response 


• Get notified when critical controls fail evaluation
• Receive alerts on:
  - Email
  - PagerDuty
  - Slack


Alerting Response — Create Action 


Screenshot: Create New: Action form. Basic Information: Action Name (e.g. "Email IT Admins"), Description (e.g. "Send email to IT admins when action is triggered."), Select Action.

Available actions:
• Send email (via Qualys)
• Post to Slack
• Send to PagerDuty


Alerting Response — Create Rule 


Rule Details: provide the following information to create the rule.

Rule Name: e.g. "Alert for failed high severity S3 controls"
Description: e.g. "This rule will trigger when a high severity control of S3 fails evaluation"
Query source: AWS Monitor
Rule query to match: control.criticality:HIGH and control.result:FAIL and service.type:S3 (sample queries are offered)
Trigger Criteria: e.g. Single Match
Action Settings: assign an appropriate alert action, e.g. "Email Cloud Admins"


Alerting Response — Create Rule 


Trigger Criteria: provide the match criteria.

Single match: one alert for one match
Time-window count match: alert when X matches occur within Y minutes/hours (e.g. alert only when there are 3 matches within a 15-minute window)
Time-window scheduled match: alert with all matches in a defined time window (e.g. a scheduled window from 9am to 5pm)
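The three trigger modes behave differently on the same stream of evaluations. The following added example (not Qualys code) implements them over a constructed list of control-evaluation events, together with a matcher for the simple field:value and field:value query form used in the rule above. The event tuples, resource names and the query grammar it accepts are assumptions for illustration, not CloudView's internal representation.

```python
"""Added example, not Qualys code: the three alert trigger modes over a constructed
stream of control evaluations, with a matcher for `field:value and field:value` queries."""
from datetime import datetime, timedelta

QUERY = "control.criticality:HIGH and control.result:FAIL and service.type:S3"
FIELDS = ("control.criticality", "control.result", "service.type")

# Constructed evaluation events: (time, criticality, result, service, resource).
EVENTS = [
    (datetime(2021, 9, 20, 9, 0), "HIGH", "FAIL", "S3", "bucket-a"),
    (datetime(2021, 9, 20, 9, 5), "HIGH", "PASS", "S3", "bucket-b"),   # passes: no match
    (datetime(2021, 9, 20, 9, 10), "HIGH", "FAIL", "S3", "bucket-c"),
    (datetime(2021, 9, 20, 9, 12), "LOW", "FAIL", "S3", "bucket-d"),   # wrong criticality
    (datetime(2021, 9, 20, 9, 14), "HIGH", "FAIL", "EC2", "i-1"),      # wrong service
    (datetime(2021, 9, 20, 9, 20), "HIGH", "FAIL", "S3", "bucket-e"),
    (datetime(2021, 9, 20, 17, 30), "HIGH", "FAIL", "S3", "bucket-f"),  # outside a 9am-5pm window
]


def parse_query(query):
    """'a:X and b:Y' -> {'a': 'X', 'b': 'Y'}; only this conjunctive form is supported here."""
    terms = {}
    for clause in query.split(" and "):
        field, value = clause.strip().split(":", 1)
        terms[field] = value
    return terms


def matches(event, terms):
    values = dict(zip(FIELDS, event[1:4]))
    return all(values.get(f) == v for f, v in terms.items())


def single_match(events, query):
    """One alert per matching event."""
    terms = parse_query(query)
    return [e[4] for e in events if matches(e, terms)]


def time_window_count_match(events, query, count, window_minutes):
    """Alert once when `count` matches fall inside a sliding window, then start afresh."""
    terms, window = parse_query(query), timedelta(minutes=window_minutes)
    alerts, pending = [], []
    for e in sorted(events):
        if not matches(e, terms):
            continue
        pending.append(e)
        pending = [p for p in pending if e[0] - p[0] <= window]  # drop matches that aged out
        if len(pending) >= count:
            alerts.append([p[4] for p in pending])
            pending = []
    return alerts


def time_window_scheduled_match(events, query, start_hour, end_hour):
    """One alert carrying every match whose time falls inside the scheduled window."""
    terms = parse_query(query)
    hits = [e[4] for e in events if matches(e, terms) and start_hour <= e[0].hour < end_hour]
    return [hits] if hits else []


if __name__ == "__main__":
    print(single_match(EVENTS, QUERY))
    print(time_window_count_match(EVENTS, QUERY, 3, 15), time_window_count_match(EVENTS, QUERY, 3, 20))
    print(time_window_scheduled_match(EVENTS, QUERY, 9, 17))
```

With the sample data the four matching failures produce four single-match alerts, no count-match alert at "3 within 15 minutes" (the first three matches span 20 minutes), one at "3 within 20 minutes", and one scheduled-window alert that omits the 17:30 failure. Choosing the window is therefore a tuning decision, not a cosmetic one.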


Alerting Response — Activity 


Screenshot: Responses > Activity tab (66 total activities; the tab bar also offers Remediation Activity, Rule Manager and Actions). Each triggered rule is listed with rule name ("Alert for failed high severity S3 controls"), action name ("Email Cloud Admins"), email recipients, status (Success, a few seconds ago), aggregate (Yes) and number of matches (1).


Alerting Permissions 


Screenshot: Role Creation, step 2 of 3 (Edit permissions for this role), CloudView module. Alerting Permissions (7 of 7):
• Alerting Access
• Create, Edit, Delete your own Action
• Edit any Action
• Delete any Action
• Create, Edit, Delete your own Rule
• Edit any Rule
• Delete any Rule
Also listed: Manage Remediation Permissions (1 of 1) and CLOUDVIEW Permissions (4 of 4).


Lab 9 — Responses 


Please follow pages 20 - 22 from the Lab Tutorial Supplement


15 min. 


CloudView Remediation 


Remediation

• Remediate resource misconfigurations
• Perform actions on cloud resources
• Remediate AWS, Azure, and GCP misconfigurations

Required Permissions

Screenshot: Role Permissions by Modules > CloudView > Manage Remediation Permissions (1 of 1): "Manage Remediation (Not Applicable for Readonly Permission)"; CLOUDVIEW Permissions (4 of 4).

• Only available to users with the Manager role or a sub-user role with the "Manage Remediation" permission

To enable remediation:

1. Enable remediation for the connector
2. Assign write access for the connector


Configure Connector for Remediation 


Screenshot: connector edit form. Polling Frequency (hours and minutes at which the connector fetches data from AWS); Authorization Details: Qualys AWS ID, External ID, Cross Account ARN (arn:aws:iam::<account-id>:role/QualysCloudViewRole2, account ID redacted in the screenshot); checkbox "Enable Remediation".

Enable Remediation:
• Create a new connector or edit an existing one
• Enable the Remediation function

Remediation allows you to resolve misconfigurations and execute actions against resources. The cross-account role must have write access to the AWS account for which you enable remediation.


Permissions required on AWS

• ec2:RevokeSecurityGroupIngress
• ec2:AuthorizeSecurityGroupIngress
• ec2:DisassociateIamInstanceProfile
• ec2:StopInstances
• ec2:ModifySnapshotAttribute
• ec2:ModifyImageAttribute
• s3:PutBucketPublicAccessBlock
• s3:PutAccountPublicAccessBlock
• s3:PutBucketVersioning
• rds:ModifyDBInstance
• rds:ModifyDBClusterSnapshotAttribute
• rds:ModifyDBCluster
• redshift:ModifyCluster

Permissions required on Azure

• Microsoft.Sql/servers/firewallRules/delete
• Microsoft.Storage/storageAccounts/write
• Microsoft.Storage/storageAccounts/blobServices/containers/write
• Microsoft.Network/networkSecurityGroups/write
• Microsoft.Web/sites/write

Permissions required on GCP

• compute.firewalls.update
• compute.instances.setMetadata
• storage.buckets.setIamPolicy
• cloudfunctions.functions.setIamPolicy
• bigquery.datasets.update
• cloudsql.instances.update
• cloudkms.cryptoKeys.setIamPolicy
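The AWS list above is the complete set of write actions the remediation role needs, which makes it a natural least-privilege baseline to audit against. The following added example (not Qualys code) checks an IAM policy document against that list, reporting required actions that are missing and sensitive write actions that a wildcard such as ec2:* grants on top. The policy document and the small catalogue of "sensitive" actions are constructed for illustration; IAM action matching is case-insensitive and an explicit Deny wins, which the matcher reproduces.

```python
"""Added example, not Qualys code: audit a remediation-role IAM policy against the
AWS permissions listed above (missing actions, and excess write actions via wildcards)."""
import fnmatch
import json

REQUIRED = {
    "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:DisassociateIamInstanceProfile", "ec2:StopInstances",
    "ec2:ModifySnapshotAttribute", "ec2:ModifyImageAttribute",
    "s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock", "s3:PutBucketVersioning",
    "rds:ModifyDBInstance", "rds:ModifyDBClusterSnapshotAttribute", "rds:ModifyDBCluster",
    "redshift:ModifyCluster",
}
# Constructed, deliberately small catalogue of write actions a wildcard would silently grant.
SENSITIVE_WRITES = {"ec2:TerminateInstances", "ec2:RunInstances", "s3:DeleteBucket",
                    "s3:PutBucketPolicy", "rds:DeleteDBInstance", "iam:PassRole", "iam:CreateAccessKey"}

# Constructed example of an over-broad remediation policy: ec2:* plus a few exact actions.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:*", "s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock",
              "rds:ModifyDBInstance", "rds:ModifyDBCluster", "redshift:ModifyCluster"]},
  {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
]}""")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def allowed_actions(policy, universe):
    """Actions from `universe` the policy grants: Allow patterns minus Deny patterns.
    Patterns are matched case-insensitively, as IAM does; `*` and `?` behave as in IAM."""
    allow, deny = set(), set()
    for stmt in policy["Statement"]:
        target = allow if stmt["Effect"] == "Allow" else deny
        for pattern in _as_list(stmt.get("Action", [])):
            target.update(a for a in universe if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return allow - deny


def audit(policy):
    """Compare the policy with the required list; `excess` is limited to the sensitive catalogue."""
    granted = allowed_actions(policy, REQUIRED | SENSITIVE_WRITES)
    return {"missing": sorted(REQUIRED - granted), "excess": sorted(granted & SENSITIVE_WRITES)}


def least_privilege_policy():
    """The policy to attach instead: exactly the required actions, no wildcards."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED), "Resource": "*"}]}


if __name__ == "__main__":
    print(json.dumps(audit(POLICY), indent=2))
    print(json.dumps(least_privilege_policy(), indent=2))
```

On the sample policy the audit reports two required actions that are missing (remediations for bucket versioning and RDS cluster snapshot attributes would fail) and one excess action, ec2:RunInstances, that the remediation role never needs; ec2:TerminateInstances is not reported because the explicit Deny removes it.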


Remediable Failed Evaluations 


Screenshot: MONITOR tab, last 24 hours. Total evaluations 17.3K; failures by criticality (High, Medium, Low); Remediable: PASS 7.22K, FAIL 10.1K.

The Monitor tab shows the number of remediable failed evaluations


Remediate Resources 


Screenshot: Control Evaluation for CID-41 "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22". Policy: CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018; Evaluation: check that no security group allows ingress from 0.0.0.0/0 to port 22; Manual Remediation: View Steps. Query: isRemediable:true and control.result:FAIL (1-50 of 87), each row showing the resource (e.g. sg-0c53f..., sg-0a223...), account ID, region (N. Virginia), evaluated on, Evidence, and a Remediate Now button.

Click the "Remediate Now" button next to a control to fix the failure


Remediate Resources 


Remediate Resources dialog:

Applicable Resource (1): sg-0c53f5d

Action
• Deletes a rule when Protocol is ALL (*) or TCP with port 22, and the source is 0.0.0.0/0 or ::/0.
• Deletes a rule and creates two new rules when Protocol is TCP, the port is given as a range X-Y with X < 22 < Y, and the source is 0.0.0.0/0 or ::/0.

Impact
Remediation may result in users losing SSH access if their IP is not whitelisted in the rules.

Comments (required), e.g. "Removing rule that's causing control failure"

"I, <user>, authorize to execute remediation actions on the selected resources."

Remediate resources:
• View resource ID
• View actions
• View impact
• Provide comments
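The Action text above is a small algorithm, and its edge cases (a range that starts or ends exactly at 22, an ALL-traffic rule, a non-world-open rule) decide which SSH access survives. The following added example (not Qualys code) computes the same plan over constructed security-group ingress rules in the shape of aws ec2 describe-security-groups output, and prints the equivalent CLI calls using the two ec2 permissions the remediation role needs. The rule list, the group ID and the flattened one-CIDR-per-rule shape are assumptions for illustration.

```python
"""Added example, not Qualys code: the CID-41 remediation plan (revoke world-open
port-22 rules, re-add the surviving port ranges) over constructed ingress rules."""

OPEN_WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample ingress rules, each flattened to a single CIDR.
RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Cidr": "0.0.0.0/0"},       # exact SSH: revoke
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "Cidr": "::/0"},            # straddles 22: split in two
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 80, "Cidr": "0.0.0.0/0"},       # starts at 22: shrink to 23-80
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Cidr": "203.0.113.0/24"},  # not world-open: keep
    {"IpProtocol": "-1", "FromPort": None, "ToPort": None, "Cidr": "0.0.0.0/0"},    # ALL traffic: revoke
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Cidr": "0.0.0.0/0"},     # HTTPS: keep
]


def exposes_ssh(rule):
    """True when the rule is world-open and covers port 22 (protocol -1 means all traffic)."""
    if rule["Cidr"] not in OPEN_WORLD:
        return False
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= 22 <= rule["ToPort"]


def plan(rules):
    """Return (revoke, authorize). A revoked X-Y range is replaced by X-21 and/or 23-Y, so
    X<22<Y yields two new rules, X=22 or Y=22 yields one, and 22-22 or ALL yields none."""
    revoke, authorize = [], []
    for r in rules:
        if not exposes_ssh(r):
            continue
        revoke.append(r)
        if r["IpProtocol"] == "-1":
            continue  # nothing survives from an ALL-traffic rule; the dialog only deletes it
        if r["FromPort"] < 22:
            authorize.append({**r, "ToPort": 21})
        if r["ToPort"] > 22:
            authorize.append({**r, "FromPort": 23})
    return revoke, authorize


def to_cli(sg_id, revoke, authorize):
    """Equivalent AWS CLI calls (ec2:RevokeSecurityGroupIngress / ec2:AuthorizeSecurityGroupIngress)."""
    cmds = []
    for verb, rules in (("revoke-security-group-ingress", revoke),
                        ("authorize-security-group-ingress", authorize)):
        for r in rules:
            ranges = ("Ipv6Ranges=[{CidrIpv6=%s}]" if ":" in r["Cidr"]
                      else "IpRanges=[{CidrIp=%s}]") % r["Cidr"]
            ports = "" if r["IpProtocol"] == "-1" else f",FromPort={r['FromPort']},ToPort={r['ToPort']}"
            cmds.append(f"aws ec2 {verb} --group-id {sg_id} --ip-permissions "
                        f"IpProtocol={r['IpProtocol']}{ports},{ranges}")
    return cmds


if __name__ == "__main__":
    revoke, authorize = plan(RULES)
    print("\n".join(to_cli("sg-0c53f5d", revoke, authorize)))
```

Revoke before authorize, as the command order does; if the authorize step fails midway the group is more restrictive than intended, never less, which is the safer failure mode for a control about exposed SSH. The Impact warning still applies: any administrator relying on the world-open rule loses access the moment the revoke succeeds.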


Resource Actions 


Screenshot: RESOURCES tab, list view for resource type Instance (last 24 hours, 1-50 of 473), with summary counts for Without Agents, With Public IP, Docker Hosts and With Vulnerabilities. Columns: EC2 instance ID, account ID, region (e.g. Bahrain, Tokyo), state (Running), first discovered on (October 26, 2020), vulnerabilities, and an Action menu for resource actions.


Remediation Activity History 


Screenshot: Responses > Remediation Activity tab (last 30 days), filterable by Amazon Web Services, Microsoft Azure and Google Cloud Platform. Three entries, all with status Success, triggered on September 20, 2021:

ACTION            CONTROL                  RESOURCE                RESOURCE TYPE   CONNECTOR
Control Remedi... 41 Ensure no security... sg-086bee889d870...     Security Group  AWS
Remove IAM Pr...                           i-0e844159f50dc02...    Instance        AWS
Stop Instance                              i-0e844159f50dc02...    Instance        AWS


Lab 10 - Remediation 


Please follow pages 23 - 27 from the Lab Tutorial Supplement


10 min. 


CloudView Exceptions 


Exceptions 


• Exempt certain cloud resources from control evaluations
• Temporarily change the status of a resource from Failed to PassE (Pass with Exception)


Create Exception 


Screenshot: Control Evaluation for CID-47 "Ensure access logging is enabled for S3 buckets" (Policy: AWS Best Practices Policy; Platform: AWS; Evaluation: the control checks whether logging is enabled on S3 buckets; Service: S3). Query: resource.id:"cloudviewdemobucket" and account.id:"636..." The Quick Actions menu of the failing resource offers View Resource Details, Re-evaluate, Create Exception, Show other control failures for this resource, and Show all failures for this account.


Create Exception 


Basic Details: provide the basic details for exception creation.

Exception Name: e.g. "Logging not required for cloudviewdemobucket"
Reason: False Positive / Risk Accepted / Other
Explanation: e.g. "cloudviewdemobucket is for demo purposes only - no logging required"
Exception Start Date / Exception End Date: e.g. 09/20/2021 to 09/21/2021


Create Exception 


Scope Information: the following scope will be associated with the exception.

Scope: Resource or Connector
• Resource: the exception applies only to the selected resource (e.g. cloudviewdemobucket, Account Id 6362..., Type S3 Bucket, Service S3)
• Connector: create the exception for all resources associated with the connector


Create Exception 


Screenshot: the same CID-47 evaluation after the exception is created; the row for cloudviewdemobucket (evaluated 3 hours ago) now shows the result PassE.

Pass with Exception


Lab 11 — Exceptions 


Please follow pages 28 - 30 from the Lab Tutorial Supplement


10 min. 


CloudView Reports 


Two types of reports:

• Use the "Reports" function to generate downloadable CSV or PDF reports; supports use of queries to filter data at run time
• Use the "On-screen reports" function to generate on-screen reports; supports mandate-based reporting


CloudView - Report 


Screenshot: Reports wizard, step 2 of 3 (Report Details, Report Source, Summary). Report Source: Report Template "Assessment Report"; Cloud Provider (AWS); Select Policies (e.g. AWS Best Practices Policy); Select Connectors (All Connectors, or Groups / Connectors); Search Query (e.g. control.criticality:HIGH).

• Select the cloud provider
• Include one or more policies
• Include the required connectors
• Use queries to filter results


CloudView — On-Screen Report Template 


Basic Information: provide basic details for the report generation. Report Title (e.g. "AWS Report"), Report Description, Cloud Provider (AWS), Report Type (Policy or Mandate), Select Policies (e.g. AWS Best Practices Policy and CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018). Multiple policies can be included in one report.

Choose Connectors: tell us the connectors you want to analyze for the report. You can select either groups, connectors, or a combination of groups and connectors; the report runs against all matching connectors (e.g. AWS Connector, AWS Connector 2). Multiple connectors and groups can be included in one report.


CloudView — On-Screen Report 


Screenshot: Report Data - Azure CIS Report, Detailed Report, CIS Microsoft Azure Foundations Benchmark:
50001 Ensure that Data encryption is set to ON for a SQL database
50002 Ensure no SQL Servers allow ingress from Internet (ANY IP)
50003 Ensure that Adaptive Application Controls is set to On
50004 Ensure that Automatic provisioning of monitoring agent is set to On

On-screen reports are interactive: click a control to view associated resources


Lab 12 - Reports 


Please follow page 31 from the Lab Tutorial Supplement


10 min. 


CloudView Access Management — Grouping Connectors


Access Management — Create Groups for Connectors 


Assign Group to Connector: begin typing to create a new group or select existing groups (e.g. "Prod Connectors").

To restrict access to connectors, first create groups and assign them.

Grouping connectors allows for easier management. A group may contain multiple connectors and a connector may belong to multiple groups.


Access Management — Assign Groups to Connectors 


Screenshot: Connector Management (Configure Base Account, Group by). AWS Connector is in the Prod Connectors group; AWS Connector 2 is in the QA Connectors group.


Access Management — Assign Permissions to Users 


Access Details for a sub-user (e.g. quays8cu1): assign the connectors and regions to define the user's scope.

Limit user scope using:
• Connector groups (manage access based on groups, e.g. QA Connectors), and/or
• Connectors and regions (manage access for each cloud provider by assigning connectors or regions, e.g. AWS Connector 2 and the N. Virginia (us-east-1) region)

If no groups are assigned to a sub-user, the sub-user can access all connectors.


CloudView Access Management — Creating Users 


User Permissions 


• User with Manager Role
  - Most privileged role, has full permissions
• Sub Users
  - All privileges: full access in CloudView except creating and managing other users
  - Reader privileges: can only view data in CloudView


User Permissions 


Operations                               Manager Role  Sub User with All Privileges  Sub User with Reader Privileges
Create new users                         Yes           No                            No
Grant access to Sub-Users                Yes           No                            No
Update Access of Existing Users          Yes           No                            No
Create and assign Groups to Connectors   Yes           No                            No
Manage Connectors                        Yes           No                            No
Manage Policies and Controls             Yes           Yes                           No
Customize Controls                       Yes           Yes                           No
Reports                                  Yes           Yes                           View only
Dashboards                               Yes           Yes                           Yes


Access Management 
To create a user with limited privileges:
1. Create the user from the Administration module
   • Create a new user of type Reader
2. Create a role with limited permissions
   • Create a new role that provides access to CloudView
3. Assign the role to the user
   • Replace the Reader role with the new role


Access Management — Create User 


Screenshot: Administration module > User Management, with the Create User menu offering Create Reader User and Create Manager User.

To create a new CloudView user with limited access, begin by creating a Reader user from the Administration module


Access Management — Create User with All Privileges 


Screenshot: Role Creation, step 2 of 3 (Edit permissions for this role), CloudView module, with CLOUDVIEW Permissions (2 of 4) selected.

To create a sub-user with all privileges, include:
• CloudView UI Access
• CloudView API Access


Access Management — Create Read Only User 


Screenshot: Role Creation, step 2 of 3 (Edit permissions for this role), CloudView module, with CLOUDVIEW Permissions (4 of 4) selected.

To create a sub-user with read-only privileges, include:
• CloudView UI Access
• CloudView API Access
• CloudView Readonly Access
• CloudView API Readonly Access


Access Management — Assign Role to User 


Screenshot: User Edit for quays8cu1, Roles And Scopes. The option "Allow user full permissions and scope (the user will have full access to everything)" is left unchecked; the assigned role is "CLOUDVIEW User", and unassigned roles (AUDITOR, CA API Access, CA MANAGER, CA UI Access, CERTVIEW User, ...) can be added.

After creating the role and the user, edit the user's profile and replace the default role with the CloudView role


Lab 13 and 14 


Lab 13 - User Management 
Lab 14 - Access Management 


10 min. 


Please follow pages 32 - 35 from the Lab Tutorial Supplement


CloudView APIs 


• Utilize many CloudView features and integrate with other products using APIs
• Use the Swagger tool to access the REST APIs
• Access the Swagger UI using the URL: http://<QualysURL>/cloudview-api/swagger-ui.html


CloudView APIs 


Azure Connector: APIs for the Azure connectors

GET     /rest/v1/azure/connectors                 Get the list of connectors
POST    /rest/v1/azure/connectors                 Create a new connector
DELETE  /rest/v1/azure/connectors                 Delete the provided connectors
GET     /rest/v1/azure/connectors/{connectorId}   Get the details of a connector
PUT     /rest/v1/azure/connectors/{connectorId}   Update the existing connector


CloudView APIs 


Screenshot: Swagger UI for POST /rest/v1/azure/connectors (Create a new connector). Edit the parameters and execute. Request body (connectorBody, parameter content type application/json):

{
  "applicationId": "string",
  "authenticationKey": "string",
  "description": "string",
  "directoryId": "string",
  "isGovCloud": true,
  "name": "string",
  "pollingFrequency": {
    "hours": 0,
    "minutes": 0
  },
  "remediationEnabled": true,
  "subscriptionId": "string"
}


CloudView Postman Collection 


• Appropriate for testing/consuming APIs based on specifications
• Available on https://github.com/Qualys/CloudView-API-Postman-Collection


Secure Infrastructure as Code 


Secure Infrastructure as Code 


• Secure your code before it gets deployed
• Improves security posture by preventing misconfigurations
• Upload code for scanning via CLI or API


Infrastructure as Code — Supported Templates 


• AWS, Azure, and GCP Terraform templates
• AWS, Azure, and GCP Terraform plans
• AWS CloudFormation templates


Infrastructure as Code — Launch Scan 


Provide the platform URL, username and password, a scan name and the file name:

$ qiac scan -a https://qualysguard.qg1.apps.qualys.in/ -u <username> -p <password> -n scan1 -d 20191912gl-Demo.yml
Validating file "20191912gl-Demo.yml"
Validation completed successf: ully
Uploading the file "20191912gl-Demo.yml"
Scan launched successfully. Scan ID: 5e5aac08-b9af-44ad-b887-fee7592b7fa2
Waiting for 30 seconds to check the scan status
Fetching the scan status with scan ID: 5e5aac08-b9af-44ad-b887-fee7592b7fa2
The scan status is: FINISHED
Fetching the scan result with scan ID: 5e5aac08-b9af-44ad-b887-fee7592b7fa2
Result Summary

+----------------+--------+--------+-------------------------+---------+----------------+
| Check Type     | Passed | Failed | Failed Stats            | Skipped | Parsing Errors |
+----------------+--------+--------+-------------------------+---------+----------------+
| cloudformation | 7      | 7      | high=7, low=0, medium=0 | 0       | 0              |
+----------------+--------+--------+-------------------------+---------+----------------+

Note: a password passed on the command line is visible in shell history and process listings; in a pipeline, inject the credentials from the CI system's secret store rather than typing them into the job definition.


Infrastructure as Code — Scan Results 


Cloudformation

Check ID     Checks                                                Criticality  Result  File Path              Resource
CKV_AWS_46   Ensure no hard-coded secrets exist in EC2 user data   HIGH         FAILED  /20191912gl-Demo.yml   AWS::EC2::Instance.MyWindowsMachine
CKV_AWS_46   Ensure no hard-coded secrets exist in EC2 user data   HIGH         FAILED  /20191912gl-Demo.yml   AWS::EC2::Instance.MyWindowsMachine1
CKV_AWS_46   Ensure no hard-coded secrets exist in EC2 user data   HIGH         FAILED  /20191912gl-Demo.yml   AWS::EC2::Instance.MyWindowsMachine2
CKV_AWS_46   Ensure no hard-coded secrets exist in EC2 user data   HIGH         FAILED  /20191912gl-Demo.yml   AWS::EC2::Instance.MyWindowsMachine3
CKV_AWS_46   Ensure no hard-coded secrets exist in EC2 user data   HIGH         FAILED  /20191912gl-Demo.yml   AWS::EC2::Instance.MyAmazonLinuxMachi...
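Every failure in the result above is the same check, CKV_AWS_46, so it is worth seeing what such a check actually inspects. The following added example (neither Qualys nor checkov code) scans the UserData of every AWS::EC2::Instance in a CloudFormation template for hard-coded secrets, resolving Fn::Base64 and Fn::Join the way the template would be rendered and decoding a pre-encoded payload so the secret inside it is visible. The template is a constructed JSON sample (the slide scanned a YAML file; JSON keeps the example to the standard library), and the secret patterns are a deliberately small illustrative set.

```python
"""Added example, neither Qualys nor checkov code: find hard-coded secrets in the
UserData of EC2 instances in a constructed CloudFormation template (the idea behind
CKV_AWS_46)."""
import base64
import json
import re

PATTERNS = {  # illustrative subset; a real scanner carries many more
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\W{0,3}[A-Za-z0-9/+=]{40}"),
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+"),
}

# Constructed template. The Linux instance carries an already base64-encoded script,
# the way some tooling emits UserData; the key IDs are AWS's documentation examples.
LINUX_USER_DATA = base64.b64encode(
    b'#!/bin/bash\necho "password=SuperSecret123" > /etc/app.conf\n').decode()
TEMPLATE = {"Resources": {
    "MyWindowsMachine": {"Type": "AWS::EC2::Instance", "Properties": {"UserData": {"Fn::Base64": {
        "Fn::Join": ["", [
            "<powershell>\n",
            "$env:AWS_ACCESS_KEY_ID='AKIAIOSFODNN7EXAMPLE'\n",
            "$env:AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n",
            "</powershell>"]]}}}},
    "MyAmazonLinuxMachine": {"Type": "AWS::EC2::Instance",
                             "Properties": {"UserData": {"Fn::Base64": LINUX_USER_DATA}}},
    "CleanMachine": {"Type": "AWS::EC2::Instance", "Properties": {"UserData": {"Fn::Base64": {
        "Fn::Join": ["", ["#!/bin/bash\n",
                          "aws ssm get-parameter --name /app/db-password --with-decryption\n"]]}}}},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}


def render(node):
    """Flatten a UserData value to text: resolves Fn::Base64, Fn::Join and Fn::Sub literals.
    Other intrinsics (Ref, Fn::GetAtt, ...) become placeholders; their values are not in the template."""
    if isinstance(node, str):
        return node
    if isinstance(node, list):
        return "".join(render(n) for n in node)
    if isinstance(node, dict) and len(node) == 1:
        key, val = next(iter(node.items()))
        if key == "Fn::Base64":
            text = render(val)
            try:  # a pre-encoded payload is decoded so the secrets inside it can be matched
                return base64.b64decode(text, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return text  # plain text that CloudFormation would encode at deploy time
        if key == "Fn::Join":
            delim, parts = val
            return delim.join(render(p) for p in parts)
        if key == "Fn::Sub":
            return render(val if isinstance(val, str) else val[0])
        return "${" + key + "}"
    return json.dumps(node)


def scan_template(template):
    """{logical_id: [matched pattern names]} for every EC2 instance whose UserData holds a secret."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        user_data = res.get("Properties", {}).get("UserData")
        if user_data is None:
            continue
        text = render(user_data)
        hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
        if hits:
            findings[logical_id] = hits
    return findings


if __name__ == "__main__":
    for logical_id, hits in scan_template(TEMPLATE).items():
        print(f"CKV_AWS_46-style FAILED  AWS::EC2::Instance.{logical_id}  {', '.join(hits)}")
```

The clean instance passes because it fetches its secret from SSM Parameter Store at boot instead of embedding it, which is also the fix for the failing resources: UserData is readable by anyone with ec2:DescribeInstanceAttribute on the instance, so a secret there is effectively stored in plaintext.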


Securing EC2 Instances with Qualys

1. Set up the Qualys Connector
2. Deploy Qualys Sensors
3. Assess EC2 Instances
4. Run Reports


Setup Connectors 


• Use the same connector as CloudView (AssetView > Connectors > Connector Management: Create EC2 Connector, Configure Base Account; the list shows name, account ID, last sync and state)
• Discovers EC2 and VPC assets
• Can be configured to automatically tag and activate EC2 instances

Screenshot: the CloudView connector edit form (polling frequency, cross-account role ARN) includes the checkbox "Create Connector in AssetView". Select it to automate creation of the same connector in AssetView; ensure the user has the required permissions in the AssetView module for the connector to be created there.


AWS Metadata 


Screenshot: AssetView asset details for an EC2 instance (sim-win2012-...), EC2 Information tab. General: Reservation ID, Instance ID, Instance Type (t2.micro), Created Date (2019-05-21 08:46:28), State (STOPPED), Image (AMI) ID, Account ID. Location: Zone (VPC), Subnet ID. Network: VPC ID, private DNS (ip-172-31-44-129.us-west-2.compute.internal), public DNS, private IP (172.31.44.129), public IP, security group ID and name ("All port and protocols are allowed"). EC2 Instance Tags: Department, Owner, Email, Name.

• AssetView Connector: instance state updates
• AssetView Connector and Cloud Agent collection: General, Location and Network information, and tags


Scanning in AWS

• Deploy Cloud Agents on EC2 Instances, or
• Deploy scanner appliances

[Screenshot: AWS Marketplace listing "Qualys Virtual Scanner Appliance (Pre-Authorized Scanning) HVM", Version 2.5.36-1-PA, Sold by Qualys, Inc., 58 external reviews, Linux/Unix, Other QAL 2.0 - 64-bit Amazon Machine Image (AMI). Listing description: "The Qualys Virtual Scanner Appliance extends the reach of the Qualys Cloud Platform's integrated suite of security and compliance SaaS applications into the internal networks of both Amazon VPC and classic EC2-Classic. IMPORTANT NOTE: This AMI should not be used with 1-Click Launch, as additional..."]


EC2 Vulnerability Scan

• Provide the following:
  o Connector
  o Platform
    - EC2-Classic
    - EC2-VPC (All VPCs in a Region)
    - EC2-VPC (Selected VPC)
  o Region
  o Tags
  o Scanner appliance
• Scan targets for vulnerability and compliance

[Screenshot: the Launch EC2 Vulnerability Scan dialog. General Information ("Give your scan a name, select a scan profile (a default is selected for you with recommended settings), and choose a scanner from the..."): Title: EC2 Scan; Option Profile: Authenticated Scan v.2; Priority: 0 - No Priority. Target Hosts: Connector: qa-awsdev-1.11; Platform: EC2-Classic (Selected Region) / EC2-VPC (All VPCs in Region) / EC2-VPC (Selected VPC), with the note "With this option there must be peering between all the VPCs in the selected region."; Available Regions: US East (N. Virginia); Include hosts that have Any of the tags below: AWS Public Assets.]


Cloud Perimeter Scan

• Scan public DNS or public IP of AWS Instances or Azure Virtual Machines using Qualys External scanners
• Scan targets for vulnerability and compliance posture

[Screenshot: the New Cloud Perimeter Scan review step ("Please review the information and schedule the scan"). Cloud Information: Connector: AWS_Connector; Service: EC2. Scan Details: Option Profile: Initial Options (default); Scan Priority: 0 - No Priority; Include AWS EC2 micro/nano/small instance types; Load balancers DNS list. Target Hosts: Assets Identified/Synched from Connector: 373; Assets Qualified for scan: 261; Assets Submitted to scan: 261; Additional Load balancer targets from Connector: 37. Scanner Appliance: External.]
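The target selection described in the EC2 Vulnerability Scan and Cloud Perimeter Scan slides above, as an added illustrative Python model (not Qualys code): the Ec2Asset fields, the sample inventory and the selection rules are assumptions drawn from the options shown in the two dialogs.

```python
# Illustrative model (not Qualys code) of how a connector-synced EC2 inventory is
# narrowed to targets for the two scan types above; names and rules are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ec2Asset:
    instance_id: str            # constructed IDs, not real instances
    region: str
    vpc_id: str
    instance_type: str
    public_dns: Optional[str]   # None when the instance has no public address
    public_ip: Optional[str]
    tags: frozenset             # Qualys asset tags applied to the asset

# Constructed sample inventory, modelled on the EC2 Information panel fields.
INVENTORY = [
    Ec2Asset("i-0aaaa", "us-east-1", "vpc-1", "m5.large",
             "ec2-203-0-113-10.compute-1.amazonaws.com", "203.0.113.10",
             frozenset({"AWS Public Assets"})),
    Ec2Asset("i-0bbbb", "us-east-1", "vpc-1", "t2.micro",
             "ec2-203-0-113-11.compute-1.amazonaws.com", "203.0.113.11",
             frozenset({"AWS Public Assets"})),
    Ec2Asset("i-0cccc", "us-east-1", "vpc-2", "t3.medium", None, None,
             frozenset({"Internal"})),   # stopped instance: no public address
    Ec2Asset("i-0dddd", "us-west-2", "vpc-3", "c5.xlarge", None, "198.51.100.7",
             frozenset({"AWS Public Assets", "Internal"})),
]
SMALL_TYPES = ("micro", "nano", "small")   # skipped by default in a perimeter scan

def ec2_vulnerability_scan_targets(assets, region, vpc_id=None, any_tags=frozenset()):
    """EC2 Vulnerability Scan: region, optional selected VPC, and 'Any of the tags'."""
    return sorted(
        a.instance_id for a in assets
        if a.region == region
        and (vpc_id is None or a.vpc_id == vpc_id)
        and (not any_tags or a.tags & any_tags)   # at least one listed tag matches
    )

def cloud_perimeter_scan_targets(assets, include_small_types=False):
    """Cloud Perimeter Scan: external scanners need a public DNS name or public IP."""
    qualified = [
        a for a in assets
        if (a.public_dns or a.public_ip)
        and (include_small_types or not a.instance_type.endswith(SMALL_TYPES))
    ]
    # Mirrors the review screen's counters: Identified / Qualified / Submitted.
    return {"identified": len(assets), "qualified": len(qualified),
            "submitted": sorted(a.instance_id for a in qualified)}
```

Instances without a public DNS name or IP never reach the external scanners, which is why the Qualified count on the review screen is lower than the Identified count.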


Securing Azure Virtual Machines with Qualys

Qualys Integration with Microsoft Azure Security Center

• The Microsoft Azure Security Center provides a unified security management and monitoring console.
• Qualys is integrated into Microsoft Azure Security Center's partner solutions for vulnerability assessment.
• The Security Center:
  o Detects virtual machines without the solution
  o Automates the deployment of lightweight Qualys Cloud Agents
• Qualys Cloud Agents:
  o Gather vulnerability data and send it to the Qualys Cloud Platform
  o Provide vulnerability and health monitoring data back to Security Center


Integrating Qualys with Microsoft Azure Security Center

• Using the Microsoft Azure Security Center integration to deploy Qualys Cloud Agents:
  o Reduces the operations overhead
  o Allows DevOps to get visibility into the security posture from within the Security Center


Integrating Qualys with Microsoft Azure Security Center

[Screenshot: the Azure Security Center Recommendations page (with a Download CSV report link). Secure Score: 37% (~21 of 58 points); Recommendations status: 1 completed control of 15 total, 19 completed recommendations of 60 total. Explanatory text: "Each security control below represents a security risk you should mitigate. Address the recommendations in each control, focusing on the controls worth the most points. To get the max score, fix all recommendations for all resources in a control." Under a vulnerability control, the recommendation "A vulnerability assessment solution should be enabled on your virtual machines" is listed with a Quick Fix! action and a Resource health summary (unhealthy and healthy resource counts; a Resource exemption (preview) note explains that irrelevant resources can be exempted so they do not affect the secure score). Unhealthy resources: 12 of 40 VMs & servers.]


Integrating Qualys with Microsoft Azure Security Center

[Screenshot: the remediation dialog for "A vulnerability assessment solution should be enabled on your virtual machines" (Remediating 1 resource). Choose a vulnerability assessment solution:
• Recommended: Deploy ASC integrated vulnerability scanner powered by Qualys (included in Azure Defender for servers)
• Deploy your configured third-party vulnerability scanner (BYOL - requires a separate license)
• Configure a new third-party vulnerability scanner (BYOL - requires a separate license)
Select an extension to deploy: Qualys, Inc. (QualysQSC2020).]


Training Survey and Certification Exam 


Training Survey - https://forms.office.com/r/rsyOAja6Xz

Certification Exam - https://qualys.com/learning


Cloud Security Certification Exam 


Participants in this training course have the option to take the Cloud Security 
Certification Exam: 


= 30 multiple choice questions. 
= Answer 75% of the questions correctly to receive a passing score. 
= Candidates will receive 5 attempts to pass the exam. 


= You may use the PM presentation slides and lab tutorial supplement to help you answer the exam questions.


= You may also use the “Help” menu (in the Qualys UI) to answer exam questions. 


Additional Resources 


• CloudView User Guide - https://www.qualys.com/docs/qualys-cloud-view-user-guide.pdf
• Securing AWS with Qualys - https://www.qualys.com/docs/qualys-securing-amazon-web-services.pdf
• Securing Azure with Qualys - https://www.qualys.com/docs/qualys-securing-azure-with-qualys.pdf
• Qualys GitHub - https://github.com/Qualys-Public/CloudSecurity




Thank You 


training@qualys.com 


